An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Tag Archives: COPPA

FTC recently approved a new COPPA safe harbor program and a new method for obtaining parental consent, providing flexibility to companies striving to comply with COPPA obligations.

The revisions to the COPPA rule that took effect July 2013 expanded COPPA provisions in several ways, including by expanding the definition of “personal information” and clarifying that third party operators are also subject to COPPA compliance obligations. The revised rules also imposed stricter requirements for companies wishing to provide COPPA safe harbor certification and created a mechanism through which companies could submit approval for new methods of obtaining parental consent.

Safe Harbor. Websites that participate in an FTC-approved COPPA safe harbor program will generally be subject to review and disciplinary actions under the program guidelines rather than be subject to a formal FTC investigation and enforcement action. In the amended Rule, the FTC imposed stricter requirements for companies wishing to provide safe harbor certification programs. A potential safe harbor program provider must now provide extensive documentation about the program’s requirements and the organization’s capability to oversee the program during the approval process and, after approval, the program must submit annual reports to the FTC.

On February 12, the FTC announced its approval of the kidSAFE Seal Safe Harbor program, which is designed for child-friendly websites and applications, including kid-targeted games, educational sites, virtual worlds, social networks, mobile apps, tablet devices and other similar interactive services and technologies.

The FTC approved the kidSAFE seal safe harbor program after determining that it had (1) a requirement that participants in the safe harbor program implement substantially similar requirements that provide the same or greater protection for children as those contained in the COPPA Rule; (2) an effective, mandatory mechanism for independent assessment of the safe harbor program participants’ compliance with the guidelines; and (3) disciplinary actions for noncompliance by safe harbor participants.

The kidSAFE Seal program as the first safe harbor program approved under the amended version of the rule. The program joins five other safe harbor certifications previously approved by the FTC: the Children’s Advertising Review Unit of the BBB, the Entertainment Software Rating Board, TRUSTe, Privo Inc. and Aristotle International, Inc.

Parental Verification Methods. The FTC recently approved a new authentication method proposed by Imperium, LLC for verifying the identity of parents who consent to the collection of their children’s data. Imperium proposed a “knowledge-based authentication system,” for its identify verification system ChildGuardOnline, which verifies a user’s identity by asking a series of out-of-wallet challenge questions (e.g., questions which cannot be determined merely by looking in a person’s wallet). Knowledge-based authentication systems are already used by entities that handle sensitive information like financial institutions and credit bureaus. The FTC found this was a reliable method of verification because the questions were sufficiently difficult that a child age 12 and under in the parent’s household could not reasonably ascertain the answers and noted that knowledge-based authentication has already proven reliable in the market place in other contexts.

Previously, the FTC had rejected an application by AssertID Inc. for its ConsentID product, which proposed to verify parental identify by asking that “friends” on the parent’s social media sites vouch for the parental-child relationship. The FTC found that this method was not “reasonably calculated in light of available technology” to ensure the person providing consent was the child’s parent and that the process could easily be circumvented by children who create fake social media accounts. To date, the Imperium methodology of parental consent verification is the only method approved by the FTC that was not in the text of the Rule itself. The other methods for verifying parental consent as provided in the text of the Rule are (a) requesting such consent be provided by written form returned by mail, fax or scanned email; (b) requesting a credit or debit card in connection with a monetary transaction; (c) requesting parent call a toll-free phone number, (d) connect with parent via video-conference, or (e) check a form of ID against a government database.

The FTC recently closed its public comment period for another proposed verification system submitted by iVeriFly. The iVeriFly methodology combines a knowledge-based authentication system similar to the method imposed by Imperium, wherein the program scans non-FCRA consumer databases to generate out-of-wallet questions for the parent to answer. If the parent answers the questions correctly, the iVeryFly system then places a call to the parent requesting that consent be provided through a series of telephone key presses.

Mobile Applications (Apps) are getting increasingly popular among children and teenagers, even very young. Indeed, the Report found out that 11% of the apps sold by Apple have toddlers as their intended audience (Report p. 6). Apps geared to children are often either free or inexpensive, which makes them easy to purchase, even on a pocket-money budget (Report p. 7-8).

As such, according to the Report, these apps seem to be intended for children’s use, and some may even be “directed to children” within the meaning of the Children’s Online Privacy Protection Act (COPPA) and the FTC’s implementing Rule (the Rule). The Rule defines what is a “[w]ebsite or online service directed to children”) at 16 C.F.R. § 312.2. Under COPPA and the Rule, operators of online services directed to children under age 13 of age must provide notice and obtain parental consent before collecting children’s personal information. This includes apps. Yet, the FTC staff was unable, in most instances, to find out whether an app collected any data, or, if it did, the type of data collected, the purpose for collecting it, and who collected or obtained access to such data (Report p. 10).

‘The mobile app market place is growing at a tremendous speed, and many consumer protections, including privacy and privacy disclosures, have not kept pace with this development’ (Report p.3)

Downloading an app on a smart phone may an impact on children’s privacy, as apps are able to gather personal information such as the geolocation of the user, her phone number or a list of contacts, and this, without her parent’s knowledge. Indeed, if app stores and operating systems provide rating systems and controls which allow parents to restrict access to mobile content and features, and even to limit data collection, they do not provide information about which data is collected and whether it is shared. (Report, p. 15)

The Report concludes by recommending that app stores, app developers, and third parties providing services within apps, increase their efforts to provide parents with “clear, concise and timelyinformation” about apps download by children. Parents would then be able to know, before downloading an app, what data will be collected, how it will be used, and who will obtain access to this data (Report p. 17). This should be done by using “simple and short disclosures or icons that are easy to find and understand on the small screen of a mobile device.” (Report p. 3)

The Federal Trade Commission (FTC) is seeking comments from the general public on proposed amendments to the Children’s Online Privacy Protection Rule (COPPA Rule or the Rule).

The Children’s Online Privacy Protection Act (COPPA) was passed in 1998. It required the FTC to issue regulations regarding the collection of children’s personal information by operators of websites or online services directed to children under 13, and to enforce these regulations. The COPPA Rule was issued in November 1999, and became effective on April 21, 2000.

The COPPA Rule required the FTC, no later than April 21, 2005, to do a review of the Rule and to report the results of this review to Congress. The FTC sought public comments in 2005on the Rule, and also sought additional comments on the COPPA Rule’s sliding scale approach to obtaining parental consent, which takes into account how children’s collected information will be used. The FTC announced in April 2006 its decision to retain the COPPA Rule without changes.

In March 2010, the FTC asked the public to comment on whether changes to technology warrant changes to the COPPA Rule. The FTC also held a public roundtable during the comment period to discuss COPPA’s definitions of “Internet,” “website,” and “online service” as they apply to new devices and technologies.

After reviewing these public comments, the FTC is now proposing to amend the COPPA Rule. It proposes to modify some of the Rule’s definitions, and to update the requirements for parental consent, confidentiality and security, and safe harbor provisions. The FTC also proposes to add a new provision addressing data retention and deletion.

Parental Consent (16 CFR 312.5):

(p. 59 and following)

The FTC proposes to eliminate the “email plus” method for parental consent. This method allows operators to obtain verifiable parental consent through an email from the parent, but the email must be coupled with an additional step, such as postal address or telephone number from the parent, and confirming the parent’s consent by letter or telephone.

The FTC found that electronic scans and video conferencing technologies are functionally equivalent to the written and oral methods of parental consent originally recognized by the FTC in 1999. Therefore, the FTC proposes to recognize these two methods as a way to obtain verifiable parental consent.The FTC also proposes to allow operators to collect a form of government-issued identification (driver’s license, truncated social security number) from the parent, as a way to verify the parent’s identity, provided that the parent’s identification is deleted “promptly” once the verification is done (p. 63).

Confidentiality, Security, and Integrity of Personal Information Collected From Children (16 CFR 312.8):

(p. 76 and following)

The Commission proposes to amend § 312.8 to strengthen the provision for maintaining the confidentiality, security, and integrity of personal information. The FTC thus proposes adding a requirement that “operators take reasonable measures to ensure that any service provider or third party to whom they release children’s personal information has in place reasonable procedures to protect the confidentiality, security, and integrity of such personal information.” Indeed, COPPA requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, but does not explain what would be the data security obligations of third parties.

The FTC Commission proposes to amend § 312.8 to add:

“The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. The operator must take reasonable measures to ensure that any service provider or any third party to whom it releases children’s personal information has in place reasonable procedures to protect the confidentiality, security, and integrity of such personal information.”

Safe Harbors (current 16 CFR 312.10, proposed 16 CFR 312.11):

(p. 80 and following)

COPPA established a “safe harbor” for participants in FTC-approved COPPA self-regulatory programs: compliance with these programs serve as a “safe harbor” against an FTC’s enforcement action. Such programs are, for example, the Children’s Advertising Review Unit of the Council of Better Business Bureaus, or TRUSTe.

The FTC proposes to amend paragraph (b)(2) of the safe harbor provisions of the Rule to read:

“An effective, mandatory mechanism for the independent assessment of subject operators’ compliance with the self regulatory program guidelines . At a minimum, this mechanism must include acomprehensive review by the safe harbor program, to be conducted not less than annually, of each subject operator’s information policies, practices, and representations. The assessment mechanism required under this paragraph can be provided by an independent enforcement program, such as a seal program.”

Data Retention and Deletion Requirements (proposed 16 CFR 312.10):

(p. 78 and following)

The FTC proposes to add new data retention and deletion provisions. Operators would retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. Also, operators would have to delete this information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

The new data retention and deletion provision (§ 312.10) would read:

“An operator of a website or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.”

Last week, the Federal Trade Commission released its long-awaited privacy report. Called “Protecting Consumer Privacy in an Era of Rapid Change”, the 79-page preliminary staff report outlines a framework for consumer privacy based on three principles: (1) Privacy By Design; (2) Simplified Choice; and (3) Transparency.

Some of its key proposals include: a “Do Not Track” browser add-on and other changes to consumer privacy choices; broadening the scope “to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers;” and looking at whether COPPA-style consent requirements should apply to teenagers. The FTC is requesting comments on the report by January 31, 2011, and plans to issue a final report later in 2011. Annexed to the report are six pages of questions to which the FTC seeks comments.

The first half of the report discusses the principles of “notice and choice” and “harm” that have formed the basis for the FTC’s privacy-related policy work, educational efforts, and enforcement actions. It also summarizes the FTC’s activities and provides an overview of key issues raised during several years of roundtable discussions involving consumer advocacy groups, businesses, academicians and others. The second half of the report expands on the new principles, which appear to simply consolidate and expand upon the earlier principles – “notice” becomes “transparency”, “choice” becomes “simplified choice”, and “harm” becomes “privacy by design”:

Privacy by Design – Companies are urged to “incorporate substantive privacy and security protections into their everyday business practices and consider privacy issues systemically, at all stages of the design and development of their products and services.” Companies are urged to collect information only for a specific purpose, limit the amount of time that data is stored, use reasonable safeguards, and develop comprehensive, company-wide privacy programs. However, the FTC staff also recognizes that these measures need to be tailored to each company’s data practices – companies that collect limited amounts of non-sensitive data need not implement the same types of programs required by a company that sells large amounts of sensitive personal data.

Simplified Choice – Companies should “describe consumer choices clearly and concisely, and offer easy-to-use choice mechanisms . . .at a time and in a context in which the consumer is making a decision about his or her data.” The FTC is proposing a new “laundry list” approach to determine whether or not companies need to provide choice to consumers. For example, defined “commonly accepted practices” generally will not require choice, whereas other practices may require either (1) some type of choice mechanism; (2) enhanced choice mechanism; or (3) even more restrictions than enhanced consent. As this is designed for both online and offline behaviors, categorizing each company’s practices as “commonly accepted” or not could be a daunting task. A chart below outlines the basics of simplified choice.

Do-Not-Track: The day after the report issued, the Commerce Department’s NTIA testified to Congress that it would be convening industry and consumer groups to discuss the “achieving voluntary agreements” on Do-Not-Track. The FTC would then “ensure compliance with these voluntary agreements, as appropriate.”

Greater Transparency – Companies should “make their data practices more transparent to consumers”. The FTC suggests developing a standardized policy like the notice templates currently developed for financial companies complying with Gramm-Leach-Bliley. The FTC is also considering whether increase the transparency of data broker activities and proposes allowing consumers to access (but not necessarily change) profiles compiled about them from many sources.

Two Commissioners issued concurring statements to the proposed framework. Commissioner Kovacic called some of the recommendations “premature” – including the Do-Not-Track proposal. He also pointed out the report lacked consideration of the existing federal and state oversight of privacy concerns. Commissioner Rauch issued a concurring statement that applauds the report as a useful “horatory exercise”, but criticizes the new approach. He states that it could be overstepping the FTC’s bounds to consider “reputational harm” and “other intangible privacy interests” if no deception is involved.

Stay tuned – there are many privacy developments on the horizon. In remarks delivered with the report, Chairman Liebowitz declared that “despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for Americans consumers.” He signaled that the FTC will be bringing more cases in the coming months – and that cases involving children are of particular interest. In addition, the Commerce Department’s “green paper” on Commercial Data Privacy is expected soon.

The federal Children’s Online Privacy Protection Act (COPPA) already protects the privacy of children under 13, but Schneider has expressed concern that COPPA does not do enough to protect all minors from marketing, particularly prescription-drug and health care product marketing on the web.

The new bill in the works will replace controversial legislation previously introduced by Schneider, signed into law and scheduled to enter into force in September 2009. The first bill, which proposed severe restrictions on marketing to anyone under the age of 18, was subject to a barrage of criticism and several legal challenges. Maine attorney general Janet Mills even declared that she would not enforce the law due to constitutional free speech concerns. (My colleague, Deborah Birnbach, and I covered those developments in a November article in Goodwin Procter’s Privacy & Data Security Advisory newsletter.)

As a result, Schneider has agreed to draft a more narrowly focused measure, with the specific goal of addressing medical information. It will be interesting to see how the new bill balances the protection of privacy with the free-speech concerns brought up by Mills and other critics. A public hearing on the new bill could be scheduled as early as next month, when the state legislature reconvenes.